What should we be thinking about on National Privacy Day?
January 28, 2019
Sam Curry, chief security officer, Cybereason, says that on National Privacy Day we should not just think about the minimum requirements of privacy legislation but rather about the world we’re building and handing to our children.
The constant drumbeat of breaches is desensitizing us collectively to the importance of identity security and privacy in our daily lives. I heard a ridiculous number the other day about how “4 billion identities” have been stolen in the United States in the last decade alone, which translates into every man, woman and child having their identity stolen 12.3 times.
Hyperbole helps no one in this situation and that sort of number just sounds apocalyptic. However, it loses all meaning when most people think about how little the downside of this has affected them day-to-day.
The best way to think about the privacy issues is to imagine the world using Tinkertoy as an analogy. Tinkertoy sets are used to build structures made up of hubs and connecting rods. This is analogous to us all, with the hubs or “nodes” being people, objects, computers and data and the rods or “edges” being the relationships among us like “child of,” “owned by” or “used by.”
This massive structure could be taken to a ridiculous extreme and could, theoretically, represent the entire world in a shifting, powerful construct. We have a branch of mathematics ideal for this sort of mapping, called graph theory; and this is exactly what data aggregators like Google, LinkedIn and Facebook do: they mine the metadata about the structure and sell it for money.
It costs money to learn about this supergraph that exists, shifting theoretically and combining us all. Some of the metadata we want available for things like public safety and law enforcement, cheaply and easily. Some of it we want to share selectively with like-minded people or for products and services we like. Finally, some of it we may not want to share, some could be recorded wrong, and some we may not even know about!
Privacy is about controlling the metadata about the “real” graph structure and Tinkertoy that is the sum total of the world and all its “things.” Specifically, it’s about the rule of law and about the cost to obtain this information.
We want law enforcement, under the right conditions, to get data as defined by law; but we also do not want anyone else lowering the costs of obtaining any of this information. We also want to put people back in the center, controlling the nodes and edges that are about them or related to them: their family, their friends, their interests, their things.
GDPR has done a lot to advance the cause of privacy, and now we’ve seen the first large fine in France interpreting GDPR, as Google was fined $57 million. However, it’s not just about protecting labeled “private” information; it’s also about making sure that privacy in general is not eroded. This is about a Hippocratic Oath-like commitment to not enable mapping the graph and collecting metadata more cheaply than is currently possible, and about not causing privacy compromises.
This might be hard for many to understand and even harder to enforce, but the distinction is important: we should not only obey the letter of the laws and regulations but should lean in and do no harm to the mission of putting the elements of the supergraph in control of the metadata collected and used about them. This is an ongoing struggle. It is vital to understand rather than just paying lip service to the regulatory language of the day or progressively watching our privacy erode as we downplay its importance and become more and more desensitized by the minutiae of the latest breach.
National Privacy Day is a time to take a look at the current state of privacy and to set the direction and tone for the future. This January 28th, let’s stop and think not just about the minimum requirements of privacy legislation but rather about the world we’re building and handing to our children.
How easy or hard do we want the collection of privacy metadata to be tomorrow, in 10 years or in 100 years? Because while we can do the bare minimum and can re-architect for the future, it behooves us to take the long view here and see privacy for what it is, how big it is and how important it is to all of us.